
    cui

    Explore "cui" with insightful episodes like "CS2 Boston Preview", "2024 Rulemaking Calendar", "The Truth About the False Claims Act", "CMMC and the Supreme Court" and "New Strategy, Who NDIS?" from podcasts like "Sum IT Up: CMMC News Roundup" and more!

    Episodes (39)

    CS2 Boston Preview


    Register for CS2 | Boston here: https://cs2.cloud/boston

    It's almost Springtime and that means it's almost time for another CS2 conference. CS2 Boston will be the 13th event in the series and, as always, there's an all-star lineup covering every nook and cranny of DFARS, NIST, and CMMC.

    Podcast listeners get 20% off registration with the code SUMITUPBOSTON

    Episode Links:

    CS2 Boston: https://cs2.cloud/boston

    DoD video overview: https://youtu.be/DqRf0DiVBVI?si=rDYWHsAHr6jwPPVm

    2024 Rulemaking Calendar


    Register for CS2 | Boston here: https://cs2.cloud/boston

    If you thought the publication of one major DoD cyber rule at the end of 2023 caused a lot of issues, how about FIVE potential rules and two NIST revisions in 2024? This week we outline the seven rules to watch for in 2024.

    Listener discount code: SUMITUPBOSTON

    Episode Links:

    [Webinar] The Top 10 Questions From the CMMC Rule: https://www.summit7.us/webinars/the-top-10-questions-from-the-cmmc-rule

    CS2 Boston: https://cs2.cloud/boston

    Midnight Rulemaking: https://www.gao.gov/products/gao-23-105510

    The Truth About the False Claims Act


    Register for CS2 | Boston: https://cs2.cloud/boston

    This week we're joined by Alex Canizares to catch up on enforcement trends under the False Claims Act. As a former DOJ trial attorney, Alex walks us through the finer details of FCA cases and what it means for CMMC, defense contractors, and the road ahead.

    Episode Links:

    Alex Canizares: https://www.linkedin.com/in/alexandercanizares/

    Perkins Coie Blog: https://www.perkinscoie.com/en/news-insights/dod-issues-proposed-cmmc-rule-requiring-cybersecurity-assessments-of-contractors.html

    Perkins Coie Blog: https://www.perkinscoie.com/en/news-insights/proposed-far-rules-introduce-new-compliance-obligations-and-false-claims-act-risks-for-government-contractors.html

    Cyber Civil Fraud Initiative: https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative

    CS2 discount code for our listeners: SUMITUPBOSTON

    CMMC and the Supreme Court


    The Supreme Court is set to upend decades of administrative law doctrine and it will have huge impacts on the cyber regulation landscape. In this episode we sit down with Jim Dempsey, a lecturer at the UC Berkeley Law School and a senior policy advisor at the Stanford Cyber Policy Center, to understand what SCOTUS is up to and what the heck it has to do with CMMC.

    Episode Links:

    Cyber Law Fundamentals: https://iapp.org/resources/article/cybersecurity-law-fundamentals/

    Lawfare Article: https://www.lawfaremedia.org/article/a-cyber-threat-to-u.s.-drinking-water

    Cyber Law Podcast: https://open.spotify.com/show/3Co2wdTUaZr4Xqnlxs4soG?si=64382c0b7b7a49c9

    Tech Policy Podcast: https://open.spotify.com/episode/1klWdGIAxI7YBTljMvI412?si=ea93f23b3f9143cb

    Dissed Podcast: https://open.spotify.com/episode/70GmGuWyEyKI2qNLcqlSIv?si=c69a3b6337ea4227

    National Cyber Strategy: https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy/

    Chevron Deference: https://ballotpedia.org/Chevron_deference_(doctrine)

    Auer Deference: https://ballotpedia.org/Auer_deference

    New Strategy, Who NDIS?


    The DoD has released yet another strategy document that claims to have the answer for expanding the defense supply chain while also increasing cybersecurity requirements. Maybe this time it will be different? This week we dive into the National Defense Industrial Strategy to see if there is anything to learn about the DoD's position on the impacts of CMMC.

    Episode Links:

    Register for CS2 Boston: https://cs2.cloud/boston

    NDIS: https://www.businessdefense.gov/NDIS.html

    DoD Cyber Strat: https://www.defense.gov/News/Releases/Release/Article/3523199/dod-releases-2023-cyber-strategy-summary/

    “The Last Supper”: https://www.washingtonpost.com/archive/business/1997/07/04/how-a-dinner-led-to-a-feeding-frenzy/13961ba2-5908-4992-8335-c3c087cdebc6/

    View the full webinar, CMMC Published: A Comprehensive Overview of the Proposed CMMC Rule On-Demand here: https://www.summit7.us/webinars/proposed-cmmc-rule

    DoD IG: Contractor Cybersecurity Hasn’t Improved


    Summit 7 CMMC Solutions: https://www.summit7.us/cmmc-level-solution-sets

    The DoD Inspector General released a special report comparing their contractor cyber assessment findings with their findings during DOJ False Claims Act investigations. No surprise, the same cybersecurity issues pop up again and again. Will this add fuel to the CMMC fire?

    Episode Links:

    The IG Report: https://www.dodig.mil/reports.html/Article/3606026/special-report-common-cybersecurity-weaknesses-related-to-the-protection-of-dod/

    The IG project announcement for C3PAOs: https://www.dodig.mil/reports.html/Article/3536652/project-announcement-audit-of-the-dods-process-for-accrediting-third-party-orga/

    171r3 Webinar (NIST): https://csrc.nist.gov/Events/2024/critical-updates-to-nist-cui-publications

    171r3 Comments Extended: https://csrc.nist.gov/News/2023/drafts-of-800-171-rev-3-and-800-171a-rev-3-availab

    Halloween episode: https://youtu.be/jy2AHrSztjM?si=7h6cW30Gr25Gx11X

    Cyber AB 2023 Year in Review


    The November Cyber AB Town Hall recapped the CMMC ecosystem highlights from 2023. Assessor numbers have increased, but will there be enough assessment capacity to meet demand?

    Episode links:

    Cyber AB Town Halls: https://cyberab.org/News-Events/Town-halls/Details/november-town-hall


    Natty Stratty Discussion: https://youtu.be/QvaLdx_wb1U?si=pgIabPLZJpGGVDS-

    7 Things to Know About the 171r3 and 171Ar3 Drafts


    The final draft of NIST SP 800-171 revision 3 and the initial draft of SP 800-171A are out. There are simultaneously more and fewer requirements. ODPs have gone away, but not really. Problematic assumptions were reversed only to be repeated. Up is down; left is right; and the final revisions are expected in a few short months. Today we dive into the first 7 things you need to know.

    Episode Links:


    800-171r3 Final Draft: https://csrc.nist.gov/pubs/sp/800/171/r3/fpd


    800-171Ar3 Initial Draft: https://csrc.nist.gov/pubs/sp/800/171/a/fpd


    Protecting CUI Project: https://csrc.nist.gov/projects/protecting-controlled-unclassified-information


    Sum IT Up: Live (CS2 Denver): https://youtu.be/td8Te1LZfEI?si=Yh7SIM2A9SFjMVMK

    7 Things to Know Ahead of the CMMC Rule


    The regulatory review of the CMMC rule is coming to an end. That means we should see a published CMMC rule in the next few weeks. In this episode Jason and Jacob dive into 7 things you need to know to hit the ground running when the public comment window opens.

    Episode Links:

    CMMC rulemaking entry: https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202304&RIN=0790-AL49

    The 2020 CMMC Rule 3 Years Later


    Register for CS2 | Denver: https://cs2.cloud/

    The biggest debate around CMMC: whether the rule should be “interim final” or “proposed”. On average it takes around a year longer for proposed rules to go into effect. This begs the question: if the 2020 CMMC rule was interim final, why wouldn't the 2023 CMMC rule be interim final as well? Has the national security justification for interim final status in previous rules changed for the better?

    CS2 | Denver discount code: SUMITUPCS2DEN

    Episode Links:

    CS2 Denver: https://cs2.cloud/

    2020 Rule: https://www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of

    2016 Rule: https://www.federalregister.gov/documents/2016/10/21/2016-25315/defense-federal-acquisition-regulation-supplement-network-penetration-reporting-and-contracting-for

    2013 Rule: https://www.federalregister.gov/documents/2013/11/18/2013-27313/defense-federal-acquisition-regulation-supplement-safeguarding-unclassified-controlled-technical

    LinkedIn Poll: https://www.linkedin.com/posts/jacob-evan-horne_3-years-ago-this-month-the-dod-issued-the-activity-7110270262020857856-l6Om

    CMMC and the National Defense Strategy of the U.S.


    It can be easy to lose perspective on the critical role that the CMMC program plays in the larger national defense strategy of the United States – especially if you don't work in the Pentagon. On top of that, the DoD is in full radio silence until the end of the public comment period on the upcoming CMMC rule. However, if you dig deep enough into DoD's strategy documents you'll quickly find that the CMMC program is a critical element of the national defense strategy of the United States.

    Episode Links:

    CS2 Denver: https://cs2.cloud/

    2023 DoD Cyber Strat: https://www.defense.gov/News/Releases/Release/Article/3523199/dod-releases-2023-cyber-strategy-summary/#:~:text=The%20strategy%20highlights%20DOD's%20actions,protect%20the%20defense%20industrial%20base

    2022 National Defense Strategy: https://www.defense.gov/News/News-Stories/Article/Article/3202438/dod-releases-national-defense-strategy-missile-defense-nuclear-posture-reviews/#:~:text=The%202022%20National%20Defense%20Strategy%2C%20or%20NDS%2C%20places,of%20U.S.%20allies%20and%20partners%20on%20shared%20objectives.

    2023 National Cyber Strategy: https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy/

    Additional Context: https://www.linkedin.com/posts/jacob-evan-horne_2023-dod-cyber-strat-summary-activity-7107765455938822145-ibdi

    CMMC in Canada: https://www.ccc.ca/en/announcements/government-of-canada-program-for-cyber-security-certification/

    Register for CS2 | Denver: https://cs2.cloud/

    DFARS and CMMC Updated?


    Register for CS2 | Denver: https://cs2.cloud/

    If you google DFARS 7021 you'll see that the CMMC contract clause has an “effective date” that isn't very old. Recently this has caused folks to think that something has changed with CMMC before the rulemaking process has finished. In this episode we dive into what's going on with “effective date” disparities, the rulemaking process, and how to sniff out bad information.

    Episode Links:

    Deep dive with Lauren Ayers: https://youtu.be/lPQbO9872IQ?si=h8ojZyOYTxEkxeWY

    Rulemaking update: https://youtu.be/qyLDQxo-YPg?si=SHGUHNzlY_4-XkBA

    https://www.ecfr.gov/

    https://www.acquisition.gov/

    CS2 discount code for Sum IT Up listeners: SUMITUPCS2DEN

    New Vulnerability Management Requirements for Contractors?


    Register for CS2 | Denver: https://cs2.cloud/

    The 2023 Federal Cybersecurity Vulnerability Reduction Act directs the government to change cybersecurity requirements for contractors. How will changes to federal acquisition regulations affect defense contractors? How many more vulnerability controls does NIST have on-deck that could be included? This week Jason and Jacob dive into what's coming around the bend.

    Episode Links:

    Legislation: https://www.congress.gov/bill/118th-congress/house-bill/5255/text

    LinkedIn Discussion: https://www.linkedin.com/posts/jacob-evan-horne_federal-cybersecurity-vulnerability-reduction-activity-7102336020951519233-kM1L

    800-53B: https://csrc.nist.gov/pubs/sp/800/53/b/upd1/final

    800-171r3 IPD: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r3.ipd.pdf

    New Details on Joint Surveillance Assessments


    The Cyber AB Town Hall for August 2023 was full of encouraging numbers. The number of people certified in various CMMC ecosystem roles continues to increase. Successful Joint Surveillance Assessments are also up and a recent Reddit post contained fascinating details about the cost and complexity of a real-world CMMC assessment.

    Episode Links:

    https://old.reddit.com/r/CMMC/comments/15zawp6/mission_accomplished/

    https://old.reddit.com/r/NISTControls/comments/15zaxnl/mission_accomplished/

    OIRA Leak Episode: https://youtu.be/b_CthhFXLfw?si=hD9RJHTU_D7jqm85

    Register for CS2 | Denver: https://cs2.cloud/

    CS2 | Denver podcast discount code: SUMITUPCS2DEN

    NIST Releases Summary of 171r3 Public Comments


    Register for CS2 | Denver and catch the Sum IT Up 1 Year Anniversary show LIVE: https://cs2.cloud/

    Just a few weeks after the end of the public comment period on NIST SP 800-171r3 and NIST has released their official summary. Timelines are on track and industry focused overwhelmingly on just a few things. Overall, NIST is planning some changes that will likely result in a larger 171r3. This week Jacob and Jason dive into what NIST is saying between the lines.

    *** ERRATA: NIST plans to release the next drafts in Q4 2023, not Q4 2024***

    Episode Links:

    171r3 Project page: https://csrc.nist.gov/projects/protecting-controlled-unclassified-information

    CS2 Denver: https://cs2.cloud/

    CMMC 2.1 LEAKED


    Not even a week after DoD submitted the CMMC rule for regulatory review and the Office of Information and Regulatory Affairs accidentally posted the updated (draft) documents for all 3 levels of CMMC. In this episode we dive deep into new information about CMMC Level 3 and share our key takeaways from a sneak peek of what's to come.

    Episode Links:

    SP 800-171r2 : Protecting Controlled Unclassified Information in Nonfederal Systems (nist.gov)

    SP 800-172: Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171

    SP 800-171 ODP Poll Results: https://www.linkedin.com/posts/jacob-evan-horne_last-week-nist-posted-the-public-comments-activity-7092152417344999424--IvO

    Major CMMC Rulemaking Updates


    In November 2021 the #DoD announced CMMC 2.0. Then they announced that it would take 9 – 24 months to go through rulemaking for #CMMC to become a reality. On July 24th, 2023, roughly 20 months later, DoD officially submitted the CMMC rule to the Office of Management and Budget. In this episode Jason and Jacob dive into what it all means for defense contractors moving forward.

    Episode Links:

    Cyber AB Town Hall (July ‘23): https://cyberab.org/News-Events/Town-Halls/Details/july-2023-town-hall

    7 Things to Know About Rulemaking: https://www.summit7.us/blog/cmmc-rulemaking-updates-august-2023

    Amira Armond on assessment types/pros/cons: https://www.linkedin.com/posts/amira-armond-25a77a141_cmmc-nist800171-activity-7092146281032122370-XXIs

    Acronym Soup: https://www.acronymsoup.org/
